Epoline SmartCard encrypting and signing E-mails

[Jani]

How can I use Epoline SmartCard security card for encrypting and signing E-mails and attachments?

How is the public keys server for EPO CA accessed?



Thanks in advance.

[Martin M]

As far as I know this is not allowed according to the certificate policy.
It is not advisable, too, since nearly nobody has the root certificates of EPO installed and they are not downloadable from a secure site.
(Anyway, I tried it some months ago and it worked from a technical point of view.)

[Jani]

.... I tried it some months ago and it worked from a technical point of view.

Martin M, thank you very much for this information. I am very glad that it is technical possible. It was an idea to have a security communication within a group of European Patent Attorneys (for an instance an EPI committee) where all members have Epoline SmartCard.

Do you think that such a use could not be allowed according to the certificate policy?

[Martin M]

Well, read yourself:
http://www.epoline.org/smartcardrepository.html
At least the certificates are not intended for any purpose than for secure communication with the EPO.

[alexthurgood]

Martin M, thank you very much for this information. I am very glad that it is technical possible. It was an idea to have a security communication within a group of European Patent Attorneys (for an instance an EPI committee) where all members have Epoline SmartCard.

Hi Jani,

This may seem a rather dim comment on my part, and I'm sorry I didn't notice this post earlier, but why don't you all just set up a GnuPrivacy Guard (GnuPG) or Pretty Good Privacy (PGP) key and then send each other encrypted e-mail with a corresponding choice of key length ? No need for smartcards, and you can install PGP/GnuPG signing software for free on virtually all platforms and in most major e-mail clients.


Alex Thurgood

[Martin M]

Well, the difference between smartcards and PGP (or other software solutions) is like between a bank safe and a cupboard. It is easy to copy information stored on a hard disk, but it is nearly impossible to copy a smartcard.

[alexthurgood]

Well, the difference between smartcards and PGP (or other software solutions) is like between a bank safe and a cupboard. It is easy to copy information stored on a hard disk, but it is nearly impossible to copy a smartcard.

Hi Martin,

Of course, but in that case, one shouldn't leave one's computer lying around open to others or open its ports via the net As has been shown on numerous occasions here in France, Smartcards (for example banking debit cards) can and have been falsified, and I'm not talking about the magnetic stripe. As usual, the system is only as good as the weakest link.

On a side note, I read a security report today that said that encrypting your data could in fact be dangerous to your company's security !!! It seems that one can't win either way.

In the French eOLF, you need to go and pick up your smartcard personally (or authorise someone) from the INPI, they won't send it to you. Yet banks will regularly send you your bank debit card via normal post. Go figure. Why filing a French patent application should be considered by the state to be more sensitive than your own personal or business bank account data is beyond me, especially since you can only use it with the French PTO, but I digress Perhaps we should be asking our banks instead why they don't take security more seriously !!

Alex

[Martin M]

Perhaps we should be asking our banks instead why they don't take security more seriously !!

Yes, indeed.
Digital signature offers MUCH more security than bank cards, and could not be copied up to now. As soon as somebody finds a way to copy them, ALL those smartcards must be revoked according to the current law.
In fact, every certificate is based upon key pairs, a private key and a public key. The private key is generated WITHIN the smartcard and stored therein. It cannot be read out. The public key is generated within the smartcard as well, but can be read out and is usually published by the certification authority.
In fact, the smartcards do never output the private key stored therin, but they encrypt an input number using this private key and output the encrypted number. Up to now nobody could find a way how to get the private key by knowing only pairs of numbers and the corresponding encrypted numbers or by knowing the public key.
If you sign a document, a so called hash value is calculated by the PC, this hash value is sent to the smart card and the resulting encrypted hash value is returned to the PC and stored with the document.
If the signature is tested, the hash value is once again calculated (and should be the same as before if the document was not amended in the meantime), the encrypted hash value is decrypted using the public key and compared with the hash value.
Encryption is quite similar. A random number is calculated by your PC and used to encrypt the document. This random number is encrypted by the smartcard using the public key and stored with the document. For decryption, this encrypted random number is sent to the smart card, decrypted using the private key, and the decrypted number is output to the PC which is now able to decrypt the document using this number.

It's really much more secure than paper signatures.

Note: This only applies to "secure signatures". There are also less secure certificates for "simple" signatures and encryption. With these less secure certificates, the private key is generated outside the card, so the certification authority is able to store this key as well and to produce a replacement card in case the original card is lost. Otherwise you would never be able to read your encrypted files once your card gets lost or damaged.

[Jani]

Well, read yourself:
http://www.epoline.org/smartcardrepository.html
At least the certificates are not intended for any purpose than for secure communication with the EPO.

Thank you Martin. As written: it is enough good reason why Epolin SmartCard should not be used for other purposes. I have no idea what is the aim of such strong limitation of usage?

Hi Jani,

This may seem a rather dim comment on my part, and I'm sorry I didn't notice this post earlier, but why don't you all just set up a GnuPrivacy Guard (GnuPG) or Pretty Good Privacy (PGP) key and then send each other encrypted e-mail with a corresponding choice of key length ? No need for smartcards, and you can install PGP/GnuPG signing software for free on virtually all platforms and in most major e-mail clients.

Alex Thurgood

Thank you Alex for this suggestion, but an idea was to establish somehow a real secure system which offers usage of Epoline SmartCard for communication between members of a closed group of owners of Epoline SmatCards. Since it is technical possible why some kind of security system communication would not be implemented as a byproduct by EPI or EPO for communication between members of EPI?

Jani